Yes I realized after creating the last post that the pma password settings in the Security section had been removed and for good reason.

The pma password is no longer required in a development environment, that is the XAMPP default settings, and poses no security threat but a plain text password for everyone to see in a text file is and so becomes pointless, root and any pma passwords in plain text in a readable by all text file is counter to common sense.

The lesser of the 2 evils is not to create a pma password rather than add a plain text password in a config file giving a false sense of security and is the reason it was removed from the Security page after 1.7.3 because the setting of a pma password created too many issues and was not really necessary.

Security concerns about using a password for pma is purely a perception not a reality in the development environment that XAMPP is created for.

I will explain that:If you configure phpmyadmin to use cookie or http for login (which we recommend), it is possible to login with pma by server request. Because of the XAMPP security concept it is only possible from localhost, but many users disable or want to disable that.

If you set a password for the pma user in database and config file it is not enough to just can send requests to the server, you need file access to get the password. I think thats one more point for security.

But mainly we aggree together, i think

We don't provide any support via personal channels like PM, email, Skype, TeamViewer!

I take it your explanation was aimed at those reading these posts, not at me as that would be termed "trying to teach your Granny how to suck eggs".

It all boils down to XAMPP only being used for development at localhost with it's quite adequate security concept and not to an open Internet.

For developers even adding the root password, a pma password and securing XAMPP files and folders, so that every time you want to use XAMPP you needlessly have to enter time wasting credentials can be unnecessary.

A good firewall will prevent access from the Internet as mine does - it ask me if so and so can access Apache or MySQL - because there are always those pesky idiots scanning ports for open access but a firewall must be effective in both directions or it is a security risk and a total waste of time.

My firewall is setup to block thenban those who scan or attempt to access from ever doing it again.

Anyone who uses XAMPP for anything other than it's intended purpose deserves all the resulting hassle they get - but more importantly ignoring this advise has repercussions for many innocent Internet users because their XAMPP server WILL becomes a zombie stepping stone for mal practices.

well, just to close this post, i didn't change pma user password because i didn't know exactly where to place the password, so if you explain it more about where to put it in that config" you mean, i'll appreciate itand for your advises regarding the plan text, i do undertand thank you a lot for everything guys

Sharley wrote:I take it your explanation was aimed at those reading these posts, not at me as that would be termed "trying to teach your Granny how to suck eggs".

Yeah. Granny Sharley, interesting comparison

Sharley wrote:A good firewall will prevent access from the Internet as mine does - it ask me if so and so can access Apache or MySQL - because there are always those pesky idiots scanning ports for open access but a firewall must be effective in both directions or it is a security risk and a total waste of time.

Totally agreed!

its me wrote:i didn't change pma user password because i didn't know exactly where to place the password, so if you explain it more about where to put it in that config" you mean

\xampp\phpMyAdmin\config.inc.php

...$cfg['Servers'][$i]['controlpass'] = 'your password here';...

We don't provide any support via personal channels like PM, email, Skype, TeamViewer!

hey I didn't read the whole thread (just was looking to see which databases I could delete to tidy things up.. about to do some local magento development and I gather from the beginning of this thread that don't need the preinstalled databases except those 3: "*_schema" and phpmyadmin. Interestingly, in phpMyAdmin, if I click "Select all", all but only two can be selected (the 3rd from the supposedly vital databases, which IS allowed to be selected for dropping, is the performance_schema database -- so I wonder if it is really not needed -- doesn't really matter though, more of a curiosity, I'll probably leave it alone)

Last edited by Sharley on 29. December 2011 07:15, edited 1 time in total.
Reason:Sorry, no commercial linking allowed (Spam).

oh boy, looks like I made a mistake .. actually it lets you select phpmyadmin, somehow I had confused it with mysql which it doesn't allow you to delete. So, I have a hosed install and will be reinstalling luckily it is a breeze. best regards